Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.
This blog post offers a brief analysis of the features and purpose of this injection tool, as well as a comparison with a previously identified injection tool that behaves significantly differently and likely serves a different operational purpose.
Update 20 October, 2019: A small section towards the bottom of this post has been updated to reflect this malware’s strong resemblance to a file described in a US-CERT Report in late 2018. The file in that report served as an injector for the FASTCash AIX malware. Given this file’s similarity, it is highly likely that this file is intended to perform a similar function, but on a Windows environment.
In May and June, two files were submitted to VirusTotal that were signed with the same digital certificate and were connected to the SWIFT-heist wing of the DPRK. One file is re-themed version of the fake resume creating tool used in the Redbanc and Pakistan attacks. The second file is a tool used to inject and run payloads inside of explorer.exe.
This brief post documents the capabilities of this second tool.
Yesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:
– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace – A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.
This blog will leave a full analysis of those two points and the supporting context to the people that found them, as it’s theirs to share; however, data that may support such conclusions havebeen available in open source for quite some time.
In early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger previously analyzed by this blog), TA505 IOCs (previously published by 360 TIC), and a handful of PowerShell scripts that are generally identical aside from a handful of configuration changes. Furthermore, the aforementioned keylogger was first uploaded by a submitter (fabd7a52) in Pakistan in December 2018. That same submitter acted as the first uploader for one of the PowerShell samples identified below (b88d4d72fdabfc040ac7fb768bf72dcd), further corroborating a possible link.
Given the multi-sourced reporting overlaps and the additional Pakistan findings mentioned above, this blog assesses that the PowerShell scripts in question likely belong to the same family of DPRK-attributable malware reported by BAE systems.
A listing of selected IOCs is below the fold, alongside a few brief notes (and a script) for how to analyze the PowerShell malware.
On 10 January 2019, Spanish-language media outlets reported an attempted intrusion into Redbanc, a Chilean interbank network. Components of the malware used in this attack share characteristics with toolsets typically attributed to North Korean adversaries, including tools possibly related to operations against other financially-affiliated entities in Vietnam. Furthermore, additional public data suggests with low confidence the possibility of similar activity taking place in Pakistan.
Per the aforementioned Spanish-language media reporting, the attempted intrusion into Redbanc’s network occurred when an employee attempted to apply for a (fake) developer position via LinkedIn and was contacted by the adversary. After establishing a relationship with the developer, the adversary requested that the developer install a program named “ApplicationPDF.exe,” which allowed the adversary onto the network.
ApplicationPDF.exe is written in .NET and has two primary purposes: 1) The file presents a fake job application form to the user in which they can fill in personal details 2) At launch, the file contacts the C2 server to download and execute a PowerShell payload
The mechanism for Workflow 2 (the malicious component) is simple: the application decodes a Base64 encoded string (the C2) and passes this variable and a file path variable (c:\users\public\Reg_Time.ps1) to a GET request. The response is written and executed to disk. While this would ordinarily prevent the payload from being examined via static or isolated analysis, an online sandbox report captured the file during its interactions with the C2. This .NET downloader also contains a hardcoded HTML-based version of the application, decoded and rendered once the user clicks through the initial presented form.
Reg_Time.ps1 is a two-layer PowerShell script. The first layer contains an Base64 encoded block of encrypted text as well as a decoding function designed to decrypt this text:
By using PowerShell’s “add-content” cmdlet, the decrypted content can be written to disk for analysis:
Although a handful of logging lines and variables have changed slightly over time, this file largely matches the PowerSpritz family, publicly identified by Proofpoint in December 2017. The malware contains hardcoded paths for VBS and PS1 files along with a hardcoded C2. The malware accepts the following commands:
kagent – Interrupts the command routine
dagent – Deletes the malware from the disk, deletes any additional dropped scripts, and removes the log file
ok – Sleeps the malware before continuing to process commands
delay – Modifies the sleep interval
panel – Decrypts C2 response and then breaks into sub-commands: “Sdel” overwrites the bytes of a file, “run” writes the contents of a command to the user’s en:temp path and then executes this via PowerShell before removing the written content, and if no sub command is specified, the malware writes a command to disk and executes it via cmd.exe
exagent – Removes the VBS and PS1 files. Comments within the code suggest that it should modify these files; however, this command contains no functionality to write new code.
ragent – Downloads and decypts the contents of an encoded executable file to a .ps1 file, then executes it.
In addition, the malware logs (in encrypted and then Base64-encoded form) certain status information to “c:\windows\temp\tmp0914.tmp.” It also sends device information (e.g. architecture, language, IP address, registry proxy settings, etc.) to the C2.
Vietnam VNCert Alert
In late July, VNCert reported IOCs affiliated with attempted intrusions against banking infrastructure in Vietnam.
The alert included two IP addresses (38.132.124[.]250, 89.249.65[.]220) as well as two files: syschk.ps1 MD5: 26466867557f84dd4784845280da1f27 SHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a SHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6
Of these two files, hs.exe is a well-known tool affiliated with previous suspected DPRK financial intrusions (solid technical and linguistic analysis of these two files is publicly available from BAE Systems here and here), strongly suggesting that DPRK-affiliated adversaries were also responsible for this Vietnam-centered activity.
Syschk.ps1, at face value, is an entirely different script from the one analyzed above: it decodes and reflectively injects a basic keylogging tool into memory (more details on this keylogger will be provided in a follow-up post); curiously, though, this script contains a variable named “$ProID” that is not as common as one might suspect. This variable triggers a YARA rule generated from the same Proofpoint December 2017 PowerSpritz reporting; while these would normally be low-confidence connections, the context and additional suspected DPRK-affiliated file help tie this malware and Vietnam-centered activity to both the Proofpoint reporting and the Redbanc attack.
As an additional datapoint, syschk.ps1 deletes a file via “remove-item” at “c:\windows\temp\TMP0389A.tmp” which is a similarly named file (at the same directory) as the logs created by the PowerSpritz file from the Redbanc intrusion.
Possible Activity in Pakistan
The keylogger identified by VNCert will be examined at greater detail in a subsequent post; however, it’s worth mentioning that the keylogger contains striking similarities to another file submitted publicly:
A VirusTotal comment from a reputable researcher suggests that this file has been used by the same adversary and has been “mainly spread in South Asia,” and the first submission for this file is a “community” tagged submission in Pakistan (suggesting it was uploaded manually). This file contains a reference to the same “c:\windows\temp\TMP0389A.tmp” filepath when run, contains similar (but not identical) strings, largely performs the same actions, and uses the same library for capturing the user’s desktop. Unfortunately, no public reporting has been identified that would tie this file to any known intrusion or intrusions.